Open northdpole opened 10 years ago
in case of validating javascript code
@Bhanudev we could use that, but I was thinking of integrating a well-tested security framework to do this work for us; I haven't found something that fits the job yet though :p
Can we try the OWASP PHP Security Project? https://www.owasp.org/index.php/OWASP_PHP_Security_Project
From what I understood, it's actively developed and I am sure it will be enough for basic input validation for Hackademic. And I hope that they will maintain the current active development, unlike ESAPI!
Also, maybe we can close either this or #81 since both relate to the same issue?
yes we can
On 19.03.2015 05:58, Anirudh Anand wrote:
From what I think, we can use stripslashes() + the escape string function in PHP whenever we take user input to store it in the database, and before bringing any user input back to the screen, simply pass it through htmlspecialchars() with ENT_QUOTES enabled. I think this is enough as a protection and we don't need to add other frameworks like the PHP Security Project I mentioned above.
The main issues we deal with are SQL injection and XSS, I guess, which can be solved from the above. For CSRF tokens and such, we can use an already existing library (which wouldn't be much difficult). I don't think we will be handling other types of issues here, is it? Am I missing something?
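As an added example (not code from the Hackademic project or from this thread), the store-raw, encode-on-output split described in the comment above: a PDO prepared statement stands in for the escape-string call the comment mentions, and htmlspecialchars() with ENT_QUOTES handles display. The `comments` table, the in-memory SQLite connection and the sample input are constructed for the example.

```php
<?php
// Added example, not Hackademic code. Assumes a PDO connection and a
// constructed table comments(id, body).

// Output side: encode for an HTML text or quoted-attribute context.
// ENT_QUOTES encodes both ' and " so the value is also safe inside a
// quoted attribute; the explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Storage side: a prepared statement keeps the user input out of the
// SQL text, so no manual escape-string call (and no stripslashes) is
// needed and the stored value stays exactly what the user typed.
function storeComment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// The same encoded value is safe in both the attribute and the text node.
function renderComment(string $body): string
{
    $safe = h($body);
    return '<p class="comment" data-body="' . $safe . '">' . $safe . '</p>';
}

// Constructed sample input containing every character htmlspecialchars()
// must rewrite: quote, double quote, angle brackets and ampersand.
$input = '"><b>x</b> & O\'Reilly';

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
storeComment($db, $input);

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
// Stored value is unchanged; only the rendered HTML is encoded.
var_dump($row['body'] === $input);
echo renderComment($row['body']), PHP_EOL;
```

The stored row round-trips unchanged, while the rendered markup contains `&quot;&gt;&lt;b&gt;x&lt;/b&gt; &amp; O&#039;Reilly` in both contexts.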
we're already using something for csrf and for sql; for xss I think we're already escaping stuff, but I may be wrong :)
On 13.09.2015 11:47, Anirudh Anand wrote:
our input validation could be better